pinpointing delay and forwarding anomalies using large
play

Pinpointing Delay and Forwarding Anomalies Using Large-Scale - PowerPoint PPT Presentation

Oct 18, 2022 •141 likes •499 views

Pinpointing Delay and Forwarding Anomalies Using Large-Scale Traceroute Measurements Romain Fontugne 1 , Emile Aben 2 , Cristel Pelsser 3 , Randy Bush 1 November 1, 2017 1 IIJ Research Lab, 2 RIPE NCC, 3 University of Strasbourg / CNRS 1 / 25

  1. Pinpointing Delay and Forwarding Anomalies Using Large-Scale Traceroute Measurements Romain Fontugne 1 , Emile Aben 2 , Cristel Pelsser 3 , Randy Bush 1 November 1, 2017 1 IIJ Research Lab, 2 RIPE NCC, 3 University of Strasbourg / CNRS 1 / 25

  2. Understanding Internet health? 2 / 25

  3. Understanding Internet health? 2 / 25

  4. Understanding Internet health? 2 / 25

  5. Understanding Internet health? (Problems) Manual observations • Traceroute / Ping / Operators’ group mailing lists • Slow process • Small visibility 3 / 25

  6. Understanding Internet health? (Problems) Manual observations • Traceroute / Ping / Operators’ group mailing lists • Slow process • Small visibility → Our goal: Systematically pinpoint network disruptions • Delay changes • Forwarding anomalies (not covered here, see the paper) 3 / 25

  7. Silly solution: frequent traceroutes to the whole Internet! → Doesn’t scale → Overload the network 4 / 25

  8. Better solution: mine results from deployed platforms → Cooperative and distributed approach → Using existing data, no added burden to the network 5 / 25

  9. RIPE Atlas Actively measures Internet connectivity • Multiple types of measurement: ping, traceroute , DNS, SSL, NTP and HTTP • 10 000 active probes! • Data for numerous measurements is made publicly available 6 / 25

  10. RIPE Atlas: traceroutes Two repetitive large-scale measurements • Builtin : traceroute every 30 minutes to all DNS root servers ( ≈ 500 server instances) • Anchoring : traceroute every 15 minutes to 189 collaborative servers Analyzed dataset • May to December 2015 • 2.8 billion IPv4 traceroutes • 1.2 billion IPv6 traceroutes 7 / 25

  11. Monitor delays with traceroute? Traceroutes from CZ to BD 300 250 200 RTT (ms) 150 100 50 Challenges: 0 0 6 8 10 2 4 12 Number of hops • Noisy data • Traffic asymmetry • Packet loss 8 / 25

  12. Monitor delays with traceroute? Traceroute to “www.target.com” Round Trip Time (RTT) between B and C? Report abnormal RTT between B and C? 9 / 25

  13. What is the RTT between B and C? ? Differential RTT : ∆ CB = RTT C - RTT B = RTT CB 10 / 25

  14. What is the RTT between B and C? RTT C - RTT B = RTT CB ? • No! • Traffic is asymmetric • RTT B and RTT C take different return paths! 11 / 25

  15. What is the RTT between B and C? RTT C - RTT B = RTT CB ? • No! • Traffic is asymmetric • RTT B and RTT C take different return paths! • Differential RTT : ∆ CB = RTT C − RTT B = d BC + e p 11 / 25

  16. Problem with differential RTT Monitoring ∆ CB over time: 30 20 ∆ RTT 10 0 Time → Delay change on BC? CD? DA? BA??? 12 / 25

  17. Proposed Approach: Use probes with different return paths Differential RTT: ∆ CB = x 0 13 / 25

  18. Proposed Approach: Use probes with different return paths Differential RTT: ∆ CB = { x 0 , x 1 } 13 / 25

  19. Proposed Approach: Use probes with different return paths Differential RTT: ∆ CB = { x 0 , x 1 , x 2 , x 3 , x 4 } 13 / 25

  20. Proposed Approach: Use probes with different return paths Differential RTT: ∆ CB = { x 0 , x 1 , x 2 , x 3 , x 4 } Median ∆ CB : • Stable if a few return paths delay change • Fluctuate if delay on BC changes 13 / 25

  21. Median Diff. RTT: Example Tier1 link, 2 weeks of data, 95 probes: 130.117.0.250 (Cogent, Zurich) - 154.54.38.50 (Cogent, Munich) 400 Differential RTT (ms) 300 Raw values 200 100 0 −100 −200 −300 −400 5.6 Differential RTT (ms) 5.4 5.2 5.0 Median Diff. RTT Normal Reference 4.8 5 5 5 5 5 5 5 1 1 1 1 1 1 1 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2 4 6 8 0 2 4 0 0 0 0 1 1 1 n n n n n n n u u u u u u u J J J J J J J • Stable despite noisy RTTs • Conf. interval: Wilson score • Normally distributed • Normal ref.: exp. smooth. 14 / 25

  22. Detecting Delay Changes 72.52.92.14 (HE, Frankfurt) - 80.81.192.154 (DE-CIX (RIPE)) 30 Differential RTT (ms) 25 Median Diff. RTT 20 Normal Reference 15 Detected Anomalies 10 5 0 −5 −10 5 5 5 5 5 5 1 1 1 1 1 1 0 0 0 0 0 0 2 2 2 2 2 2 6 7 8 9 0 1 2 2 2 2 3 0 v v v v v c o o o o o e N N N N N D Significant RTT changes: Confidence interval not overlapping with the normal reference 15 / 25

  23. Results Analyzed dataset • Atlas builtin / anchoring measurements • From May to Dec. 2015 • Observed 262k IPv4 and 42k IPv6 links We found a lot of delay changes! Let’s see only two prominent examples 16 / 25

  24. Case study: DDoS on DNS root servers Two attacks: • Nov. 30th 2015 • Dec. 1st 2015 Almost all server are anycast • Congestion at the 531 sites? • Found 129 instances altered by the attacks 17 / 25

  25. Observed delay changes 193.0.14.129 (K -root) - 74.208.6.124 (1&1, Kansas City) 12 Differential RTT (ms) 10 Median Diff. RTT 8 Normal Reference 6 4 Detected Anomalies 2 0 −2 −4 5 5 5 5 5 5 1 1 1 1 1 1 0 0 0 0 0 0 2 2 2 2 2 2 6 7 8 9 0 1 2 2 2 2 3 0 v v v v v c o o o o o e N N N N N D • Certain servers are 72.52.92.14 (HE, Frankfurt) - 80.81.192.154 (DE-CIX (RIPE)) 30 Differential RTT (ms) 25 Median Diff. RTT affected only by one 20 Normal Reference 15 10 Detected Anomalies attack 5 0 −5 −10 • Continuous attack in 5 5 5 5 5 5 1 1 1 1 1 1 0 0 0 0 0 0 2 2 2 2 2 2 6 7 8 9 0 1 2 2 2 2 3 0 v v v v v c o o o o o e N N N N N D Russia 188.93.16.77 (Selectel, St. Petersburg) - 95.213.189.0 (Selectel, Moscow) 10 Differential RTT (ms) 9 8 7 6 5 4 3 2 5 5 5 5 5 5 1 1 1 1 1 1 0 0 0 0 0 0 2 2 2 2 2 2 6 7 8 9 0 1 2 2 2 2 3 0 v v v v v c o o o o o e N N N N N D 18 / 25

  26. Unaffected root servers 193.0.14.129 (K -root) - 212.191.229.90 (Poznan, PL) 0.14 Differential RTT (ms) 0.12 0.10 0.08 0.06 0.04 Median Diff. RTT 0.02 0.00 Normal Reference −0.02 −0.04 5 5 5 5 5 5 1 1 1 1 1 1 0 0 0 0 0 0 2 2 2 2 2 2 6 7 8 9 0 1 2 2 2 2 3 0 v v v v v c o o o o o e N N N N N D Very stable delay during the attacks • Thanks to anycast! • Far from the attackers 19 / 25

  27. Congested links for servers F, I, and K → Concentration of malicious traffic at IXPs 20 / 25

  28. Case study: Telekom Malaysia BGP leak 21 / 25

  29. Case study: Telekom Malaysia BGP leak 22 / 25

  30. Case study: Telekom Malaysia BGP leak 22 / 25

  31. Case study: Telekom Malaysia BGP leak 22 / 25

  32. Case study: Telekom Malaysia BGP leak Not only with Google... but about 170k prefixes! 22 / 25

  33. Congestion in Level3 Rerouted traffic has congested Level3 (120 reported links) • Example: 229ms increase between two routers in London! 67.16.133.130 - 67.17.106.150 350 Differential RTT (ms) 300 Median Diff. RTT 250 Normal Reference 200 Detected Anomalies 150 100 50 0 −50 5 5 5 5 5 5 1 1 1 1 1 1 0 0 0 0 0 0 2 2 2 2 2 2 8 9 0 1 2 3 0 0 1 1 1 1 n n n n n n u u u u u u J J J J J J 23 / 25

  34. Congestion in Level3 Reported links in London: Delay increase Delay & packet loss → Traffic staying within UK/Europe may also be altered 24 / 25

  35. Summary Detect and locate delay and forwarding anomalies in billions of traceroutes • Non-parametric and robust statistics • Diverse root causes: remote attacks, routing anomalies, etc... • Give a lot of new insights on reported events Online detection for network operators • http://ihr.iijlab.net/ 25 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

REQUEST AGGREGATION, CACHING, AND FORWARDING STRATEGIES FOR IMPROVING LARGE CLIMATE DATA

REQUEST AGGREGATION, CACHING, AND FORWARDING STRATEGIES FOR IMPROVING LARGE CLIMATE DATA

REQUEST AGGREGATION, CACHING, AND FORWARDING STRATEGIES FOR IMPROVING LARGE CLIMATE DATA DISTRIBUTION WITH NDN: A CASE STUDY Susmit Shannigrahi, Chengyu Fan, Christos Papadopoulos Colorado State University ICN 2017, Berlin Large Scientifjc

408 views • 26 slides
Detection of DNS Traffic Anomalies in Large Networks Milan ermk, Pavel eleda, Jan Vykopal

Detection of DNS Traffic Anomalies in Large Networks Milan ermk, Pavel eleda, Jan Vykopal

Detection of DNS Traffic Anomalies in Large Networks Milan ermk, Pavel eleda, Jan Vykopal {cermak|celeda|vykopal}@ics.muni.cz 20th Eunice Open European Summer School and Conference 2014 1-5 September 2014, Rennes, France Part I

897 views • 36 slides
Patterns and Anomalies Christos Faloutsos CMU CMU SCS Thank you The Department of

Patterns and Anomalies Christos Faloutsos CMU CMU SCS Thank you The Department of

CMU SCS Mining Large Social Networks: Patterns and Anomalies Christos Faloutsos CMU CMU SCS Thank you The Department of Informatics Happy 20-th! Prof. Yannis Manolopoulos Prof. Kostas Tsichlas Mrs. Nina Daltsidou AUTH, May

743 views • 55 slides
Pinpointing Influence in Panagiotis Liakos 1 Katia Papakonstantinopoulou 1 Michael Sioutis 2

Pinpointing Influence in Panagiotis Liakos 1 Katia Papakonstantinopoulou 1 Michael Sioutis 2

Pinpointing Influence in Panagiotis Liakos 1 Katia Papakonstantinopoulou 1 Michael Sioutis 2 Konstantinos Tsakalozos 3 Alex Delis 1 1 University of Athens 2 Universit e dArtois, CRIL 3 Canonical Group Ltd. 2 nd International Workshop on

738 views • 32 slides
Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay (

Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay (

Advanced Digital IC-Design Propagation Delay Lumped C p Distributed model C model Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay ( t pHL / t pLH ) Wire (interconnect) delay ( t w ) The Wire

492 views • 20 slides
Mining Anomalies Andrzej Wasylkowski 1 Why Mine Anomalies? How can we make programs more

Mining Anomalies Andrzej Wasylkowski 1 Why Mine Anomalies? How can we make programs more

Mining Anomalies Andrzej Wasylkowski 1 Why Mine Anomalies? How can we make programs more reliable? Testing, code inspection, etc. Mining anomalies, etc. In general: automatic defect detection 2 Overview Automatic Defect

446 views • 19 slides
Memphis on an XT5 Pinpointing Memory Performance Problems on Cray Platforms Collin McCurdy,

Memphis on an XT5 Pinpointing Memory Performance Problems on Cray Platforms Collin McCurdy,

Memphis on an XT5 Pinpointing Memory Performance Problems on Cray Platforms Collin McCurdy, Jeffrey Vetter , Patrick Worley and Don Maxwell Overview Current projections: each chip in an Exascale system will contain 100s to 1000s of

430 views • 27 slides
Integrated True-Time-Delay based Large-Scale Arrays for Spatially Diverse Applications PI: I: Su

Integrated True-Time-Delay based Large-Scale Arrays for Spatially Diverse Applications PI: I: Su

WASHING INGTO TON STATE TE UNIVERSIT NIVERSITY Integrated True-Time-Delay based Large-Scale Arrays for Spatially Diverse Applications PI: I: Su Subha hanshu nshu Gupta ta Graduate uate student( dent(s): Erfan Ghaderi, Chase Puglisi,

553 views • 39 slides
draft-ietf-mpls-forwarding-02 MPLS Forwarding Compliance and Performance Requirements Curtis

draft-ietf-mpls-forwarding-02 MPLS Forwarding Compliance and Performance Requirements Curtis

draft-ietf-mpls-forwarding-02 MPLS Forwarding Compliance and Performance Requirements Curtis Villamizar (OCCNC) Kireeti Kompella (Contrail) Shane Amante (Level 3) Andrew Malis (Verizon) Carlos Pignataro (Cisco) Note: Authors believe this

652 views • 47 slides
RC delay 4: The Elmore delay - 3 Application of the Elmore delay formula to a (RC) wire. Let R

RC delay 4: The Elmore delay - 3 Application of the Elmore delay formula to a (RC) wire. Let R

RC delay 4: The Elmore delay - 3 Application of the Elmore delay formula to a (RC) wire. Let R , C , and l be the total line resistance, capacitance, and length. = = = / ; / ; / r R l c C l L l N N ( ) ( ) ( ) 2

653 views • 16 slides
P Packet Scheduling: k S h d li E d t End-to-End Delay Bounds E d D l B d Delay bounds

P Packet Scheduling: k S h d li E d t End-to-End Delay Bounds E d D l B d Delay bounds

P Packet Scheduling: k S h d li E d t End-to-End Delay Bounds E d D l B d Delay bounds (Simon S. Lam) 1 2/7/2017 1 References References Delay Guarantee of Virtual Clock server Geoffrey G. Xie and Simon S. Lam, Delay

696 views • 43 slides
b s b c anomalies anomalies Found by LHCb (and perhaps Found by several experiments

b s b c anomalies anomalies Found by LHCb (and perhaps Found by several experiments

b s b c anomalies anomalies Found by LHCb (and perhaps Found by several experiments hinted by Belle) (LHCb, BaBar and Belle) Many observables: global pattern Two observables: R(D) and R(D*) Neutral current Charged current 1-loop

342 views • 19 slides
Ethernet Switches layer 2 (frame) forwarding, filtering using LAN addresses Switching:

Ethernet Switches layer 2 (frame) forwarding, filtering using LAN addresses Switching:

Ethernet Switches layer 2 (frame) forwarding, filtering using LAN addresses Switching: A-to-B and A-to- Medium Access Layer B simultaneously, no collisions large number of interfaces often: individual hosts, star-

297 views • 8 slides
SOLUTIONS General Cargo Project Forwarding Industrial Services Dextra Industry and

SOLUTIONS General Cargo Project Forwarding Industrial Services Dextra Industry and

FORWARDING SOLUTIONS General Cargo Project Forwarding Industrial Services Dextra Industry and Transport www.dextragroup.com Vision To be a global leader in engineering and delivery of high value forwarding services: custom clearance,

568 views • 20 slides
11 Introduction Introduction M/M/1 Queueing delay (revisited) R=link bandwidth (bps)

11 Introduction Introduction M/M/1 Queueing delay (revisited) R=link bandwidth (bps)

Introduction Introduction Four sources of packet delay Delay in packet-switched networks 3. Transmission delay: 4. Propagation delay: 1. nodal processing: 2. queueing R=link bandwidth (bps) d = length of physical link check

185 views • 3 slides
Medium Access Layer Ethernet Switches layer 2 (frame) forwarding, filtering using LAN

Medium Access Layer Ethernet Switches layer 2 (frame) forwarding, filtering using LAN

Medium Access Layer Ethernet Switches layer 2 (frame) forwarding, filtering using LAN addresses Switching: A-to-B and A-to- B simultaneously, no collisions large number of interfaces often: individual hosts, star-

462 views • 45 slides
CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee,

735 views • 36 slides
CPS: Market Analysis of Attacks Against Demand Response in the Smart Grid Carlos Barreto,

CPS: Market Analysis of Attacks Against Demand Response in the Smart Grid Carlos Barreto,

CPS: Market Analysis of Attacks Against Demand Response in the Smart Grid Carlos Barreto, carlos.barretosuarez@utdallas.edu Alvaro A. Cardenas, alvaro.cardenas@utdallas.edu Nicanor Quijano, nquijano@uniandes.edu.co Eduardo Mojica,

330 views • 20 slides
iCAST / TRUST Collaboration Year 2 - Kickoff Meeting Robin Sommer International Computer Science

iCAST / TRUST Collaboration Year 2 - Kickoff Meeting Robin Sommer International Computer Science

iCAST / TRUST Collaboration Year 2 - Kickoff Meeting Robin Sommer International Computer Science Institute robin@icsi.berkeley.edu http://www.icir.org Projects Overview Project 1 NIDS Evasion Testing in a Live Context Project 2

420 views • 21 slides
Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste

Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste

Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste & Justine Sherry Your Feedback I like to think of Dr. Weiss as my teaching teacher They require students to go over algorithms weve

1.3k views • 79 slides
Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez,

Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez,

Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez, Lakshmi Kuppusamy, Jothi Rangasamy, Douglas Stebila, Suriadi Suriadi Colin Boyd Information Security Institute Queensland University of Technology

560 views • 32 slides
CS 162 Intro to Programming II Inheritance I 1 Basic

CS 162 Intro to Programming II Inheritance I 1 Basic

CS 162 Intro to Programming II Inheritance I 1 Basic Idea Parent/base/super class Character More general Child/derived/sub class

504 views • 22 slides
Boleslaw Szymanski based on slides by Albert-Lszl Barabsi and Roberta Sinatr a

Boleslaw Szymanski based on slides by Albert-Lszl Barabsi and Roberta Sinatr a

Frontiers of Network Science Fall 2017 Class 19: Robustness II (Chapter 8 in Textbook) Boleslaw Szymanski based on slides by Albert-Lszl Barabsi and Roberta Sinatr a www.BarabasiLab.com Attack threshold for arbitrary P(k) Attack

329 views • 28 slides
Implementing Explanation-Based Argumentation using Answer Set Programming Giovanni Sileno

Implementing Explanation-Based Argumentation using Answer Set Programming Giovanni Sileno

Implementing Explanation-Based Argumentation using Answer Set Programming Giovanni Sileno g.sileno@uva.nl Alexander Boer, Tom van Engers 5 May 2014, ArgMAS presentation Leibniz Center for Law University of Amsterdam Background Argumentation

1.09k views • 61 slides

More recommend